I have a dashboard on which I have a large amount of data. It doesn't fit in one panel of the dashboard, is there an option of having a vertical scrollbar? I didn't find any documentation around this. Thanks! ... View more

I'm trying to extract XML fields from a report which is about 70-80 lines (maybe more). I receive the whole report as a single event because breaking it would make the report lose its meaning. I have been researching and trying out various means of field extraction for this report but nothing has worked out so far. If anyone can help me out with this, it'd be great. I tried xmlkv, spath, xpath, manual regex field extraction. When I try manual field extraction or xmklkv, it matches only the last occurence of the tag. For example, consider the following code sample: 192.168.X.X netsaint (5666/tcp) High 192.168.X.X ssh (22/tcp) Low When I use regex for field extraction or when I use xmlkv for say field level, I get only the last value (Low). Also, spath by default extracts fields from the first 5000 characters and I understand this can be changed in limits.conf, but I don't know how many characters my report would contain, so I dont know what I should set the value to. When I try spath like so: whatever_search|spath output=host path=objects.object.ip|top host the field host contains the whole xml report and not just the field I'm looking for. Can someone please suggest some alternative/solution to this? I have no option but using XML for this. ... View more

I am trying to parse XML reports (that I receive from OpenVas) in Splunk.But I am not able to find the right way to do it. I haven't found much documentation around this either. I've read up on whatever I could find, but nothing helped. I've tried xmlkv and xpath commands to try and parse the XML. But I am at a complete loss because these reports are really big and its difficult to find a correlation between the fields. I've been trying to figure this out for a couple of months but I haven't come up with a good solution so far. Also because some of the fields are deeply nested, its getting complicated to extract these fields keeping the structure intact. Is it a good idea to still attempt to parse these fields or should I consider changing the report format? As much as possible, I'd like to avoid that. I'm receiving this report on a port as a single event (meaning, the complete report of about 100 lines is indexed as a single event in Splunk). Any help on this will be greatly appreciated. I can provide a sample of the file if it is necessary. Thank you. ... View more

I have a Splunk indexer which hasn't been indexing logs from the past 3-4 days. I'm trying to troubleshoot and have gone through the usual checklist of items that I found by researching splunkbase. The most common reason, of course is disk being full. I have over 50% of the disk free. Second, I haven't configured my indexer as a forwarder. All the logs that I'm indexing are on the same box as the indexer. After reviewing splunkd.log, these are the only two things that stood out- 02-04-2012 10:58:48.643 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Mon Oct 29 09:24:24 2012) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. So just to debug the issue, in props.conf, I set: MAX_DAYS_HENCE=2000 MAX_DAYS_AGO=10951 (And restarted Splunk) because I thought Splunk was trying to index logs in the future. That didn't work either. This the other error message: 02-06-2012 05:11:34.353 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying... 02-06-2012 05:11:34.353 INFO TailingProcessor - ...continuing. Could someone please tell me firstly, does the DateParserVerbose Warning have anything to do with Splunk not indexing data AT ALL? Secondly, please tell me how I can resolve this. Any help will be appreciated. Thank you. ... View more

I'm attempting to extract statistics of user logins from a custom log format and create a bar chart. I have users A, B, C and D. The log format looks something like this. 1.Account Name: A Account Domain: some_domain **Account Name: B Account Domain: some_domain 2.Account Name: A Account Domain: some_domain **Account Name: C Account Domain: some_domain Basically I have user A appearing in every search result. As a result, my chart shows A as having the highest number of logins and because it occurs for every user, I cannot use NOT and remove that username from the search. It would show me 0 results. Can someone tell me a way I can remove just user A from my chart? I want to see logins from every other user except A in my chart. I'm new to Splunk and I have no idea on how to do this. ... View more